1 /*
2  * Copyright (C) 1996-2021 The Squid Software Foundation and contributors
3  *
4  * Squid software is distributed under GPLv2+ license and includes
5  * contributions from numerous individuals and organizations.
6  * Please see the COPYING and CONTRIBUTORS files for details.
7  */
8 
9 #ifndef SQUID_ANYP_TRAFFIC_MODE_H
10 #define SQUID_ANYP_TRAFFIC_MODE_H
11 
12 namespace AnyP
13 {
14 
15 /**
16  * Set of 'mode' flags defining types of traffic which can be received.
17  *
18  * Used to determine the processing steps which need to be applied
19  * to this traffic under any special circumstances which may apply.
20  */
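class TrafficMode
{
public:
    /** marks HTTP accelerator (reverse/surrogate proxy) traffic
     *
     * Indicating the following are required:
     *  - URL translation from relative to absolute form
     *  - restriction to origin peer relay recommended
     */
    bool accelSurrogate = false;

    /** marks ports receiving PROXY protocol traffic
     *
     * Indicating the following are required:
     *  - PROXY protocol magic header
     *  - src/dst IP retrieved from magic PROXY header
     *  - indirect client IP trust verification is mandatory
     *  - TLS is not supported
     *
     * The src/dst addresses are taken from the header supplied by the
     * sender rather than from the TCP connection itself, which is why
     * the trust verification above is mandatory rather than optional.
     */
    bool proxySurrogate = false;

    /** marks NAT intercepted traffic
     *
     * Indicating the following are required:
     *  - NAT lookups
     *  - URL translation from relative to absolute form
     *  - Same-Origin verification is mandatory
     *  - destination pinning is recommended
     *  - authentication prohibited
     */
    bool natIntercept = false;

    /** marks TPROXY intercepted traffic
     *
     * Indicating the following are required:
     *  - src/dst IP inversion must be performed
     *  - client IP should be spoofed if possible
     *  - URL translation from relative to absolute form
     *  - Same-Origin verification is mandatory
     *  - destination pinning is recommended
     *  - authentication prohibited
     */
    bool tproxyIntercept = false;

    /** marks intercept and decryption of CONNECT (tunnel) SSL traffic
     *
     * Indicating the following are required:
     *  - decryption of CONNECT request
     *  - URL translation from relative to absolute form
     *  - authentication prohibited on unwrapped requests (only on the CONNECT tunnel)
     *  - encrypted outbound server connections
     *  - peer relay prohibited. TODO: re-encrypt and re-wrap with CONNECT
     *
     * This flag is not part of isIntercepted(); code that applies the
     * restrictions above must test it explicitly.
     */
    bool tunnelSslBumping = false;

    /** true if the traffic is in any way intercepted
     *
     * Only natIntercept and tproxyIntercept are consulted. accelSurrogate,
     * proxySurrogate and tunnelSslBumping do not affect the result, so a
     * check that must also cover those modes cannot rely on this method alone.
     *
     * Const-qualified so that it can be queried through a const TrafficMode
     * (or const reference) without casting away constness.
     *
     * \return natIntercept || tproxyIntercept
     */
    bool isIntercepted() const { return natIntercept || tproxyIntercept; }
};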
81 
82 } // namespace AnyP
83 
84 #endif